The EU Artificial Intelligence Act: What Businesses Need to Know
On March 13, 2024, the European Union Parliament approved the Artificial Intelligence Act, after nearly three years of deliberation. The EU Artificial Intelligence Act is the first major regulatory act aimed directly at addressing the risks posed by the commercialization/deployment of artificial intelligence (AI). The EU Parliament voted in favor of the Act, which is expected to become law in May, after approval from the EU member states.
The EU AI Act separates AI systems into risk categories: unacceptable risk, high-risk, limited (or transparency) risk and minimal risk.
Any AI system deemed to pose an unacceptable risk is prohibited from being used in the EU. Unacceptable risk systems include AI platforms that use social scoring (evaluating individuals based on social behavior or personal traits causing unfavorable treatment), predictive policing (i.e., profiling), real-time biometric identification systems in most circumstances, and manipulative or deceptive practices.
AI systems that pose a high risk are not prohibited, but they are heavily regulated. High-risk systems include platforms that: operate or manage critical infrastructure (road traffic, water, gas and electricity), impact access to or admissions to education institutions, make employment-related decisions and are used in the administration of justice or elections.
High-risk AI providers must, among other requirements:
- implement a risk management system;
- conduct data governance to ensure the training data is relevant, sufficiently representative and, to the extent possible, error free and complete to avoid bias;
- design the system to allow human oversight; and
- provide documentation to demonstrate compliance.
General purpose AI (GPAI) systems – large language model systems capable of performing a wide range of tasks – will not be classified as high risk but must meet certain transparency requirements, including compliance with laws, the publication of summaries of any copyrighted information used for training, and the labeling of AI-generated content. GPAI systems that pose systemic risk will be more strictly regulated.
Minimal-risk AI systems are not regulated under the EU AI Act. These include common AI systems, such as spam filters and search and recommendation engines.
Noncompliance with the EU AI Act can result in low-grade penalties including nonfinancial warnings, with more egregious violations resulting in a fine of up to the greater of €35 million or 7% of a provider’s total worldwide annual turnover (approximately its annual revenue). The EU AI Act will take effect gradually, with prohibited risks commencing six months after entry into force and high-risk systems addressed 24–36 months after implementation.
Any business, regardless of where it is based, that has an EU presence and puts an AI system into service in Europe will be subject to the AI Act. Those that only deploy AI systems outside of Europe are subject to the AI Act when the output produced by their AI systems is used in Europe, with some exceptions. This is a broad reach, and any U.S. business that develops or provides AI systems, at any level, anywhere in the world, should review its development efforts to enable compliance once the AI Act takes effect. While there is no similar federal legislation currently pending in the U.S., the federal government has taken some steps to address AI-related issues on a national level. In the absence of federal legislation, U.S.-based businesses will face the risk of patchwork regulation at the state level, similar to what we have experienced with privacy regulation in the U.S.
The lawyers in Armstrong Teasdale’s AI practice counsel clients in the use of AI in their businesses and the legal and regulatory implications that come with it. They are continuing to monitor this and other related legislation. If you have any questions regarding the AI Act, please contact your regular AT lawyer or one of the listed authors.